Announcing new releases Alpha 3572.0.1, Beta 3549.1.1, Stable 3510.2.1, LTS 3033.3.12

16 views
Skip to first unread message

Flatcar Container Linux User

unread,
Apr 25, 2023, 12:08:24 PM4/25/23
to Flatcar Container Linux User

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable and LTS channel.

New Alpha Release 3572.0.1

Changes since Alpha 3572.0.0

Security fixes:Bug fixes:
  • Fixed the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
  • The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:New Beta Release 3549.1.1

Changes since Beta 3549.1.0

Security fixes:Bug fixes:
  • Fixed systemd journal logs persistency on the first boot (flatcar#1005)
  • Fixed the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
  • The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:New Stable Release 3510.2.1

Changes since Stable 3510.2.0

Security fixes:Bug fixes:
  • Fixed the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
  • The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:New LTS Release 3033.3.12

Changes since LTS 3033.3.11

Security fixes:Bug fixes:
  • Fix the broken emerge-gitclone in the dev-container owing to the missing migration action around the unification of the Flatcar core repositories
Changes:
  • The package upgrade for nvidia-drivers might result in not supporting a few of the older NVIDIA Tesla GPUs. If you are facing issues, set NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadata
Updates:Detailed Security Report

Security fixes: With the Alpha 3572.0.1, Beta 3549.1.1, Stable 3510.2.1, LTS 3033.3.12 release(s) we ship the fixes for the following CVEs

  • Linux (Stable)

    • CVE-2022-4269 CVSSv3 score: 5.5(Medium)
      A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.

    • CVE-2022-4379 CVSSv3 score: 7.5(High)
      A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial

    • CVE-2023-1076 CVSSv3 score: 5.5(Medium)
      A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.

    • CVE-2023-1077 CVSSv3 score: 7.8(High)
      In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.

    • CVE-2023-1079 CVSSv3 score: 6.8(Medium)
      A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.

    • CVE-2023-1118 CVSSv3 score: 7.8(High)
      A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

    • CVE-2023-1611 CVSSv3 score: 6.3(Medium)
      A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea

    • CVE-2023-1670 CVSSv3 score: 7.8(High)
      A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

    • CVE-2023-1829 CVSSv3 score: n/a
      A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
      We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.

    • CVE-2023-1855 CVSSv3 score: 6.3(Medium)
      A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.

    • CVE-2023-1989 CVSSv3 score: 7(High)
      A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.

    • CVE-2023-1990 CVSSv3 score: 4.7(Medium)
      A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.

    • CVE-2023-23004 CVSSv3 score: 5.5(Medium)
      In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).

    • CVE-2023-25012 CVSSv3 score: 4.6(Medium)
      The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.

    • CVE-2023-28466 CVSSv3 score: 7(High)
      do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).

    • CVE-2023-30456 CVSSv3 score: 7.8(High)
      An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.

    • CVE-2023-30772 CVSSv3 score: n/a
      The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.

  • nvidia-drivers (Alpha, Beta, Stable, LTS)

    • CVE-2022-31607 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges, data tampering, and limited information disclosure.
    • CVE-2022-31608 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
    • CVE-2022-31615 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34665 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34666 CVSSv3 score: 5.5(Medium)
      NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34670 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.
    • CVE-2022-34673 CVSSv3 score: 7.3(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
    • CVE-2022-34674 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.
    • CVE-2022-34676 CVSSv3 score: 7.8(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.
    • CVE-2022-34677 CVSSv3 score: 7.1(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.
    • CVE-2022-34678 CVSSv3 score: 5.5(Medium)
      NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34679 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34680 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.
    • CVE-2022-34682 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.
    • CVE-2022-34684 CVSSv3 score: 7.1(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.
    • CVE-2022-42254 CVSSv3 score: 7.8(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.
    • CVE-2022-42255 CVSSv3 score: 7.8(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
    • CVE-2022-42256 CVSSv3 score: 7.8(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.
    • CVE-2022-42257 CVSSv3 score: 7.3(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.
    • CVE-2022-42258 CVSSv3 score: 7.3(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.
    • CVE-2022-42259 CVSSv3 score: 5.5(Medium)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.
    • CVE-2022-42260 CVSSv3 score: n/a
      NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
    • CVE-2022-42261 CVSSv3 score: n/a
      NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service.
    • CVE-2022-42263 CVSSv3 score: n/a
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure.
    • CVE-2022-42264 CVSSv3 score: 7.8(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.
    • CVE-2022-42265 CVSSv3 score: 7.1(High)
      NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.

Best,
The Flatcar Container Linux Maintainers

Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages